Security Testing For Web Applications

Causes of vulnerabilities
Security testing concepts
Security Testing Types
Main methods of manual security testing
URL manipulation
SQL injection
XSS (Cross Site Scripting)
Automated security testing tools
------------------------------------------------
Created by: Kristina Filipyan
Reviewed by: Vladimir Soghoyan
Ogma Applications

Published in Technology

Transcript

  • 1. Security Testing For Web Applications. Created by: Kristina Filipyan. Reviewed by: Vladimir Soghoyan. Ogma Applications.
  • 2. Causes of vulnerabilities
    • Design and development errors
    • Poor system configuration
    • Human errors
  • 3. Security testing concepts
    • Authentication: determining the act of confirming the truth of an attribute of a datum or entity.
    • Authorization: determining that a requester is allowed to receive a service or perform an operation.
    • Confidentiality: a security measure which protects against disclosure of data or information to parties other than the intended ones.
    • Integrity: whether the intended receiver receives information or data that has not been altered in transmission.
    • Non-repudiation (session time limitations): interchange of authentication information with some form of provable time stamp, e.g. with a session id.
  • 4. Security Testing Types
    • Vulnerability Scanning: a method to assess computers, computer systems, networks or applications for weaknesses.
    • Security Scanning: Security Scanning is a Vulnerability Scan.
    • Penetration Testing: a method of evaluating the security of a computer system or network by simulating an attack.
    • Risk Assessment: involves a security analysis of interviews compiled with research of business, legal, and industry justifications.
    • Security Auditing: involves hands-on internal inspection of Operating Systems and Applications, often via line-by-line inspection of the code.
    • Ethical Hacking: basically a number of Penetration Tests on a number of systems on a network segment.
  • 5. Why is security testing needed?
    • To secure financial data while it is transferred between different systems
    • To secure user data
    • To find security vulnerabilities in an application
  • 6. Main methods of manual security testing
    • URL manipulation
    • SQL injection
    • XSS (Cross Site Scripting)
  • 7. URL manipulation through HTTP GET methods: examples
    • Search for directories making it possible to administer the site: http://target/admin/ and http://target/admin.cgi
    • Search for a script that reveals information about the remote system: http://target/phpinfo.php3
    • Search for backup copies. The .bak extension is generally used and is not interpreted by servers by default, which can cause a script's source to be displayed: http://target/.bak
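Added example, not part of the deck: detection logic for the slide-7 probes (admin paths, phpinfo scripts, .bak backups), run over a few constructed Apache combined-format log lines. The rule names, IP addresses and paths are made up for this example; the serious case it surfaces is a backup file that the server actually served (a 2xx response).

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpinfo.php3 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /config.php.bak HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /about.html HTTP/1.1" 200 733 "-" "Mozilla/5.0"
"""

# Enough of the combined format to pull out client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path patterns matching the three probe types listed on slide 7 (rule names are ours).
PROBE_RULES = {
    "admin-path": re.compile(r"^/admin(\.cgi|/|$)", re.I),
    "info-script": re.compile(r"^/phpinfo\.php\d?$", re.I),
    "backup-file": re.compile(r"\.bak$", re.I),
}

def classify(path):
    """Return the name of the first probe rule matching this request path, or None."""
    for name, rx in PROBE_RULES.items():
        if rx.search(path):
            return name
    return None

def detect_probes(log_text):
    """Parse log lines; return (alerts, probes-per-ip).
    Each alert is (ip, path, status, rule). Unparseable lines are skipped."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify(m["path"])
        if rule:
            alerts.append((m["ip"], m["path"], int(m["status"]), rule))
            counts[m["ip"]] += 1
    return alerts, counts

def exposed_files(alerts):
    """Probes that succeeded (2xx): the server handed the resource out, so fix the deployment."""
    return [a for a in alerts if 200 <= a[2] < 300]
```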
  • 8. SQL Injection examples
    • SELECT fieldlist FROM table WHERE field = 'username@domain.com'';
    • SELECT fieldlist FROM table WHERE field = 'x' AND email IS NULL; --';
    • SELECT email, passwd, login_id, full_name FROM table WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
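Added example, not from the deck: the slide-8 query built by string concatenation next to its parameterized fix, run against a constructed in-memory SQLite table (the table name, columns and rows are made up here). The input uses the slide's `'x' ... ; --'` shape with OR instead of AND so the difference is visible as leaked rows rather than as a silent probe.

```python
import sqlite3

def make_db():
    """Constructed sample table for the demo; names and rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?, ?)",
        [("alice@example.com", "s3cret", "alice", "Alice A."),
         ("bob@example.com", "hunter2", "bob", "Bob B.")],
    )
    return conn

def build_vulnerable_sql(user_input):
    """String concatenation as on slide 8: the input becomes part of the SQL text."""
    return ("SELECT email, passwd, login_id, full_name FROM members "
            "WHERE email = '" + user_input + "';")

def lookup_vulnerable(conn, user_input):
    """Executes whatever SQL the concatenation produced."""
    return conn.execute(build_vulnerable_sql(user_input)).fetchall()

def lookup_parameterized(conn, user_input):
    """The fix: the value is bound separately, so quotes and '--' are just characters."""
    return conn.execute(
        "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?",
        (user_input,),
    ).fetchall()

# Slide 8's probe shape with OR: the closing quote ends the literal, the comment eats the rest.
INJECTED = "x' OR email IS NOT NULL; --"

def demo():
    """Return (rows leaked by the vulnerable query, rows returned by the parameterized one)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, INJECTED)), len(lookup_parameterized(conn, INJECTED))

if __name__ == "__main__":
    print(build_vulnerable_sql(INJECTED))
    print(demo())  # (2, 0): every row leaks from the first query, none from the second
```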
  • 9. Cross Site Scripting (XSS)
    • '';!--"<XSS>=&{()}
    • <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
    • <IMG SRC="javascript:alert('XSS');">
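Added example, not from the deck: output handling that neutralizes the three slide-9 probe strings. Text context is handled by HTML escaping; the IMG SRC case shows why an attribute that takes a URL also needs scheme validation, since escaping leaves a `javascript:` URL intact. The render functions, the default avatar path and the test URLs are assumptions of this example.

```python
import html
from urllib.parse import urlparse

# The three probe strings from slide 9, kept verbatim as input for the render functions.
PAYLOADS = [
    "'';!--\"<XSS>=&{()}",
    '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>',
    '<IMG SRC="javascript:alert(\'XSS\');">',
]

def render_comment(text):
    """Text context: escape & < > " ' so the browser displays the payload instead of parsing it."""
    return '<p class="comment">' + html.escape(text, quote=True) + "</p>"

def safe_image_url(url):
    """URL attribute context: escaping alone cannot stop javascript: or data: URLs,
    so accept only absolute http(s) URLs with a host, then escape for the attribute."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ("http", "https") or not parsed.netloc:
        return None
    return html.escape(url.strip(), quote=True)

def render_avatar(url):
    """Fall back to a fixed default image (assumed path) when the URL is rejected."""
    safe = safe_image_url(url)
    if safe is None:
        return '<img src="/static/default.png" alt="avatar">'
    return '<img src="' + safe + '" alt="avatar">'

def escaped_body(rendered):
    """Strip the wrapping <p> tag so callers can check that no raw markup survived."""
    return rendered[len('<p class="comment">'):-len("</p>")]
```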
  • 10. XSS attack example on RockSquare (screenshots: XSS input; XSS attack results)
  • 11. Automated security testing tools
    • NMAP (free source): security scanner used to discover hosts and services on a computer network.
    • GFI LANguard (licensed): Network Security Scanner and Vulnerability Management Tool.
  • 12. What is Zenmap? Zenmap is the official Nmap Security Scanner GUI.
    • Zenmap action shots: Nmap Output, Hosts and Ports, Topology, Host Details
  • 13. Nmap Output: the "Nmap Output" tab shows the scanning results.
  • 14. Hosts and Ports: the "Ports / Hosts" tab shows all the hosts which have that port open, filtered, or closed.
  • 15. Topology: the "Topology" tab is an interactive view of the connections between hosts in a network.
  • 16. Host Details: the "Host Details" tab breaks all the information about a single host into a hierarchical display.
  • 17. The goal of Nmap
    • Nmap sends specially crafted packets to the target host and then analyzes the responses.
    • Nmap can determine the operating system of the target, names and versions of the listening services, estimated uptime, type of device, and presence of a firewall.
  • 18. Thank You